Contact form:

ACSC threat report: cyber risk is real

The Australian Cyber Security Centre (ACSC) threat report for 2017 highlights the need for government to ensure that all contractors are diligent in ensuring robust cyber security.

For a long time, it was thought by many that cyber threats were a myth. The Australian Cyber Security Centre’s (ACSC’s) threat report for 2017 makes it clear that cyber threats are real and that Australian government organisations, and their contractors, have already been targets of cyber-attacks. Indeed, the report outlines that in last November the ACSC became aware of an incident on an IT network belonging to a defence contractor.

But while the risk is real, this doesn’t mean that government organisations should resist out-sourcing. With a good understanding of the risk associated with outsourced ICT arrangements and an active consideration of cyber risk when planning procurements, there is no real reason why contracted ICT arrangements should not be an option. This is particularly so as ‘secure’ commercial offerings for government in Australia are becoming increasingly available and economical, when compared to in-house solutions.

As a starting point, it makes good sense for all levels of government to take heed of the Australian Government Information Security Core Policy and its principles of confidentiality, integrity, and availability. These principles should be the basis for mandatory ICT security requirements in procurements that ensure not only that appropriate safeguards are in place, but that suppliers (or potential suppliers) have incident response plans to put into action, should an unexpected cyber threat occur.

The human element can also never be under-estimated when it comes to security. Whether it is an inadvertent mistake, or a deliberate or malicious act, people will always be the weakest link. We have all heard stories about incidents where former employees take, and pass on, documents or information containing commercially sensitive information to a new employer. And while this is a long-standing issue that can impact on professional reputations, it is now one that can pose a real and significant threat to an organisation’s cyber and general security. With this in mind, it is prudent for government organisations to ensure that their contractors have good internal ICT practices and policies that are strongly enforced. This includes strictly managing the departure of staff, and ensuring that there is legal recourse should they act illegally.

Finally, even when outsourcing, government organisations should ensure that they have a crisis communications plan to be put into action should a significant security breach occur. This will not only help make contractors accountable, but be a guide for managing public confidence in the organisation’s handling of an incident.